This blog post discusses the Virginia Consumer Data Protection Act (CDPA). Note: This is not meant to provide legal advice or guidance.
Virginia (VA) Consumer Data Protection Act (CDPA)
On March 2, 2021, the Commonwealth of Virginia became the second U.S. state to sign into law privacy protections for individuals, called the Consumer Data Protection Act (CDPA) (IAPP 2021). It “establishes a framework for controlling and processing personal data” (CDPA 2021). This new data protection regulation has some similarity to other data protection regulations, such as that of the European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It takes effect January 1, 2023.
Applicability and Scope
The CDPA (2021) applies to anyone (persons or entities) that:
- Conducts business in Virginia or produces products or services that target residents of Virginia; and
- During a calendar year, meet minimum criteria for amount of personal data processed or controlled (at least 100,000 consumers); or, meet lower standard for data (at least 25,000 consumers) and derive more than 50% gross revenue from the sale of personal data
The CDPA defines a “consumer” as a “natural person who is a resident of the Commonwealth acting only in an individual or household context” (CDPA 2021).
The CDPA does not apply to the following information and data (CDPA 2021):
- Identifiable private information subject to 45 CFR 46 (Federal Policy for the Protection of Human Subjects)
- Identifiable private information that’s collected as part of research pursuant to good clinical practice (GCP) and U.S. Food and Drug Administration (FDA) regulations (21 CFR 50 and 56)
- Personal data used or shared in research conducted with certain requirements
The regulation also exempts information used for public health activities and purposes (as authorized by HIPAA) (CDPA 2021).
Compliance and Enforcement
The regulation will be enforced by the Virginia attorney general and there are fiscal penalties for violations.